Help With Extractions Involving Microsoft AV Hashes

Path Finder

Inconsistency with file names coming from Microsoft AV hashes is causing alerts to populate null results when firing off after a file has been quarantined.

Currently, we are matching the hashes based on a lookup that is generated by a saved search. We are having problems with our regex expression because the file names within the WinEvent Log message are not consistent. We are trying to extract the file name. Most of the time, our regex is successful in pulling out the file name for the field. However, there are times when the file name is not extracted properly due to the format of the log being different (returning values that append (GZIP) or other characters). The main problem is that we are seeing it showing the entire zip location and not just the actual file itself.

Any suggestions to this would be awesome. The query being used to look at these events and extraction, then outputting to a lookup is:

This report runs every 5 minutes and scans for new files and hashes.

index=wineventlog (sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational") EventCode=1120 (SourceName="Microsoft Antimalware" OR SourceName="Microsoft-Windows-Windows Defender") earliest=-5m@m latest=@m
| rex field=Threat_resource_path "(?<file_name>[^\\]+$)"
| stats count BY file_name ComputerName Hashes
| fields - count
| inputlookup append=t .csv
| dedup ComputerName Hashes
| outputlookup .csv

Example of a log that has trouble with extraction:

02/20/2020 02:20:44 AM
LogName=Microsoft-Windows-Windows Defender/Operational
SourceName=Microsoft-Windows-Windows Defender
EventCode=1120
EventType=4
Type=Information
ComputerName=
User=NOT_TRANSLATED
Sid=
SidType=0
TaskCategory=None
OpCode=Info
RecordNumber=33310
Keywords=None
Message=Windows Defender Antivirus has deduced the hashes for a threat resource.
Current Platform Version: 4.18.1911.3
Threat resource path: C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)
Hashes: SHA1:5b803dc7f6c6ahashgoesheree0efadfbf6c5ba834;

The file_name extraction wants to pull the entire f_019fa8->(GZip) as opposed to just f_019fa8. 😞


SplunkTrust (accepted solution)
| makeresults
| eval Threat_resource_path="C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)"
| rex field=Threat_resource_path "^.*\\\(?<fname>\w+)"

There are various regular expressions.


SplunkTrust

Try | rex field=Threat_resource_path "(?<file_name>[^\\]+)[-$]"

---
If this reply helps you, an upvote would be appreciated.

Path Finder

Thank you Rich. This extraction worked 🙂


Builder

Knowing that the greater than (>) symbol is illegal in Windows filenames, you could modify your regex thusly:

| rex field=Threat_resource_path "(?<fname>[\w\:\.\\\-\s]+)\>?"

Then you merely need to pull the final hyphen (-), if there is one:

| eval fname=rtrim(fname,"-")

There's probably an even snazzier way to do this with just a regex - but this works

Path Finder

Thank you! Along with the regex, the rtrim idea does what is needed!
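The thread offers three different extractions for Threat_resource_path (the accepted `\w+` capture, the `[-$]` capture the asker confirmed, and the Builder's capture-then-rtrim approach), each shown against the single `f_019fa8->(GZip)` value. The harness below is an added example, not code from the thread or from Splunk: it runs each candidate, plus one added defensive pattern (`strip_annotation`, my own, not from any reply), over a few constructed paths so the behaviour on inputs the thread did not test is visible, in particular a file name that itself contains a hyphen, a name with an extension, and a path with no `->(...)` annotation at all. Patterns are written as the regex engine sees them (Python raw strings); SPL's quoted-string escaping of backslashes is not reproduced here, so re-escape any pattern before pasting it into `rex`. Splunk's `rtrim(fname,"-")` is mapped to Python's `rstrip("-")`, and every capture group is renamed `file_name` so one helper can serve all patterns. The sample paths are constructed, modelled on the example log above, and come from no real host.

```python
import re

# Constructed Threat_resource_path values modelled on the thread's example log.
# None of these come from a real host.
SAMPLE_PATHS = {
    "gzip_annotation": r"C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)",
    "plain": r"C:\Users\usergoeshere\Downloads\f_019fa8",
    "hyphen_in_name": r"C:\Temp\my-file.exe",
    "extension_and_annotation": r"C:\Temp\archive.zip->(Zip)",
}

# Candidate patterns, written as the regex engine sees them (Python raw strings).
# Every capture group is named file_name here so the helpers below can treat them alike.
PATTERNS = {
    # The question's original rex: everything after the last backslash, up to end of string.
    "original": re.compile(r"(?P<file_name>[^\\]+$)"),
    # The accepted answer: skip to the last backslash, then take word characters only.
    "accepted_word_chars": re.compile(r"^.*\\(?P<file_name>\w+)"),
    # The reply the asker confirmed: a segment followed by a literal '-' or '$' character.
    # Inside [...] the '$' is a literal dollar sign, not an end-of-string anchor.
    "hyphen_or_dollar": re.compile(r"(?P<file_name>[^\\]+)[-$]"),
    # Added defensive variant (assumption, not from the thread): the shortest run of
    # non-backslash characters that is followed by an optional '->(...)' annotation
    # and then end of string. Hyphens and dots inside the name survive.
    "strip_annotation": re.compile(r"(?P<file_name>[^\\]+?)(?:->\([^)]*\))?$"),
}


def extract(pattern_name: str, path: str):
    """Return the file_name capture for one pattern, or None when it does not match."""
    match = PATTERNS[pattern_name].search(path)
    return match.group("file_name") if match else None


def extract_with_rtrim(path: str):
    """The Builder reply: capture up to an optional '>' and rtrim the trailing hyphen.

    The class admits word characters, ':', '.', backslash, '-' and whitespace, so the
    capture starts at the drive letter: the result is the path with the annotation
    removed, not only the base name.
    """
    match = re.search(r"(?P<fname>[\w:.\\\-\s]+)>?", path)
    return match.group("fname").rstrip("-") if match else None


def compare_all():
    """Run every candidate over every sample; returns {pattern: {sample: result}}."""
    table = {name: {label: extract(name, p) for label, p in SAMPLE_PATHS.items()}
             for name in PATTERNS}
    table["builder_rtrim"] = {label: extract_with_rtrim(p) for label, p in SAMPLE_PATHS.items()}
    return table


if __name__ == "__main__":
    for name, results in compare_all().items():
        print(name)
        for label, value in results.items():
            print(f"  {label:26} -> {value!r}")
```

Running the script prints one row per pattern and sample. The `strip_annotation` pattern is the only one that returns the plain base name for all four inputs; because it anchors on end of string and only removes a trailing `->(...)`, it is also the one to prefer when the lookup feeding the quarantine alert must never contain a null file_name.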
